ICS Security Progress Masked by Vulnerability Reports

(This article was originally published on the Findings From the Field blog.)

I just finished looking through two government reports from earlier this year on cyber security vulnerabilities: the DHS Control Systems Security Program (CSSP) Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments and the Idaho National Laboratories (INL) National Security Test Bed (NTSB) Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses. The reports have a lot of similarities and are useful, to a degree. A casual reading of the reports, however, suggests that we've made no progress in securing important control systems. This is incorrect; much progress has been made. What we really need in order to measure ICS security progress is not lists of high-priority vulnerabilities, but rather reports quantifying deviations from best practices and defense-in-depth postures.


Review of Digital Bond Podcast - Ralph Langner Stuxnet Interview


I spent an hour yesterday listening to Dale Peterson's podcast with Ralph Langner about the Stuxnet worm. I've complained in the past that Ralph jumps to conclusions and that his terminology tends to lead others to jump as well. So I was surprised to find the podcast to be a thoughtful discussion of issues surrounding the worm. I still differ with Ralph on several topics, especially speculation as to who will author the next advanced threat targeting control systems. Overall though, the podcast really is worth listening to, especially so for people considering where Stuxnet fits in their risk models. Details follow...


Gartner: Security Lessons Learned from Stuxnet


I had the opportunity to read the Gartner Security Lessons Learned from Stuxnet research note a few days ago. The note was encouraging in one sense: Gartner has a lot of influence with corporate decision-makers, and it is good to see them covering control system and operations issues. The bulk of the note was useful – advice to take operations security more seriously, to put strong operations security programs in place, and so on. But in the end, none of the “lessons learned” seemed drawn from the Stuxnet worm. The lessons seemed drawn from the run-of-the-mill botnet threats that most businesses face every day, rather than from recent targeted threats or from the worm many describe as “the most sophisticated malware ever.”


Security Basics: Secure Application Design


Siemens received a lot of criticism when people learned that the Stuxnet worm used a hard-coded password to access WinCC databases remotely and compromise them. Some of the criticism was justified, and some was not. In this posting we explore what a secure application looks like, especially control-system-type applications with intensive server-to-server communications and requirements for unattended reboot.